Bug#: 215546
Status: RESOLVED
Resolution: WONTFIX
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Antek Grzymała <awaria@chopin.edu.pl>

Bug 215546 depends on: 209460

Description:   Opened: 2008-03-31 10:20 0000
The vmsplice local root exploit patch should be included for all affected
gentoo-sources kernels in the tree.

I am currently stuck with kernels 2.6.22* because of the ioremap bug in all
later kernels (see bugs: http://bugzilla.kernel.org/show_bug.cgi?id=10077 and
http://bugzilla.kernel.org/show_bug.cgi?id=9955). Possibly there are a lot of
other people forced to stick with the 2.6.22 kernel and there's no reason why
the exploit should be patched only in >=2.6.23.

Reproducible: Always

------- Comment #1 From Robert Buchholz 2008-03-31 12:50:09 0000 -------
Please note that there are several bugs unfixed within the 2.6.22 version of
gentoo-sources, among them bugs 158788, 171888, 188644, 196862, 198997, 199312,
199691, 199845, 200769, 202235, 202290, 209460 and 213811.

I'm pulling in the kernel team for advice, because it is fixed in
gentoo-sources as far as the security policy is concerned, and this would only
be an enhancement.

------- Comment #2 From Daniel Drake 2008-03-31 13:19:59 0000 -------
gentoo-sources-2.6.22 is no longer supported and will not be updated.
gentoo-sources-2.6.24 is currently the only supported version.

------- Comment #3 From Robert Buchholz 2008-03-31 13:26:46 0000 -------
Thanks for making that clear, Daniel.

------- Comment #4 From Antek Grzymała 2008-03-31 13:29:00 0000 -------
(In reply to comment #2)

> gentoo-sources-2.6.22 is no longer supported and will not be updated.

Then it should either be removed from the tree, masked or patched. It's a
simple fix, two minutes' worth of work. I think keeping unmasked insecure
packages is neither in Gentoo's interest nor the security policy.

------- Comment #5 From Robert Buchholz 2008-03-31 14:38:13 0000 -------
(In reply to comment #4)
> (In reply to comment #2)
> 
> > gentoo-sources-2.6.22 is no longer supported and will not be updated.
> 
> Then it should either be removed from the tree, masked or patched. It's a
> simple fix, two minutes' worth of work. I think keeping unmasked insecure
> packages is neither in Gentoo's interest nor the security policy.

As far as our security policy goes, only the latest available ebuild for each
source is supported. I see how that is not desirable for both developers and
users, and we are working on improving that. Your help is very much appreciated
there; please talk to me on IRC or via mail.

------- Comment #6 From Daniel Drake 2008-03-31 14:45:03 0000 -------
If you have time, you should file bugs for any issues preventing you from
running the latest kernel. We are then at least aware of the issues, can track
them, and can maybe help solving them. When marking new kernels stable (and
ending support for older ones) we always review outstanding regression bugs and
base decisions from that. We can't consider regressions that nobody has told us
about :)
